Tuesday, August 03, 2004

Shhh! Part 1

Privacy. How long before it's an alien concept, a quaint reminder of "simpler" times? I'm sure a lot of us recall the descriptions in 1984 of the cameras in every room, watching people all the time - or at least reminding them that they might be being watched, they never knew. Now such cameras, while not (yet) in our homes, surround us. We are recorded at the bank, tracked in the supermarket, scanned as we pass by corporate offices, scrutinized at government facilities. We are observed, measured, tabulated, indexed, and filed.

All the while being told the audacious lie that it's for our own benefit. No, it's not for our benefit at all. So following over the next few days, several items about some aspect of privacy. Who has it and who doesn't.

Certainly, in the face of corporations, we're expected not to.
[A]s banks move away from paper-based transactions, their customers increasingly are bumping into [a] problem. The checks they write become, instead, an electronic debit. And the practice is perfectly legal, unless accountholders object.
What does that passage from an article in the August 2 Christian Science Monitor mean? Simply that instead of actually sending the physical check you wrote to your bank for payment, the creditor will use your account number on the check to generate an electronic debit which is transmitted to your bank and which it in turn uses to pay the creditor by electronic transfer of funds to the creditor's account.
Worse, it and other industry measures that take effect this fall could boost checking-account fraud. ...

"These automatic deductions are obviously much more efficient for the bank and the creditor," says Mark Budnitz, a professor at Georgia State University College of Law and a board member of the National Consumer Law Center. "It saves them money but it also creates more opportunities for checking-account fraud."

Under federal law, creditors must disclose any automatic deductions to a customer's checking account. Electronic payments can be authorized by signing a form or attaching a voided check. But ... a creditor does not have to get written authorization from a consumer. Instead, it is up to the consumer to object (preferably in writing) to the proposed transaction.
That is, pay by check and the recipient of that check can potentially use your account number to access your account to demand payments of subsequent debts, be they real or phony - demands the bank will honor. The creditor does not have to obtain your permission before doing this or even tell you they are. Rather, it's up to you to object - assuming you even know about it beforehand.
Consumers have some protection against checking-account fraud in the Electronic Fund Transfer Act and the Uniform Commercial Code. For electronic debits, provided that you notify the bank right away, the bank typically is required to "recredit" your account with the missing funds - within 10 business days while it investigates.
To which I say, BFD. Notification should not have to be "right away," which simply gives the banks an incentive to hope you don't notice questionable transactions. The amount should be credited immediately upon a complaint, not "within 10 days." And the situation should never arise in the first place because such automatic deductions should exist only when a consumer specifically opts into them and banks should not be allowed to honor such a transaction without proof of the consumer's agreement. And if that's inconvenient for the corporations and banks, too damn bad.
Consumer advocates warn that you can expect even more incidents of checking-account fraud with the Check Clearing for the 21st Century Act or "Check 21," slated to take effect Oct. 28. The new law represents a death knell for the process of banks returning original checks to consumers with their monthly statements or even when there is a problem with a particular check. Instead, if consumers want to inspect checks for forgeries or alterations or to present a canceled check as proof of payment, they usually will have to be content with a new payment instrument called a "substitute check" (based on a digital image of the original check).
Once again putting the risk and the burden on consumers for the convenience and benefit of the banks. It's so bad that even the check processing industry is concerned about the increasing risk of fraud.
NACHA, the electronic payments association, based in Herndon, Va., recommends on its website that consumers protect their checking account.

"It's fine to use your checking account information on the Web or over the phone to pay bills or to pay companies you know and trust," says Michael Herd of NACHA. "But you should safeguard your checking-account information, just as you would your address, phone number, Social Security number, and other account numbers."
And just how the hell are we supposed to do that when the account number is on every check we write? When we can't cash or often even deposit a check without having our account number or other personally-identifying information put on the back (which, at least for now, gives it right back to whoever wrote the check to us)? How are we supposed to guard our social security number when federal law requires it be given in order to open a bank account, obtain a credit card, get a job? When it's being used to ID everything from driver's licenses to medical records to credit reports? How are we to protect our privacy when every single day there are demands that we surrender it in order to do what should be normal transactions of daily life? Who is kidding who here?
"If you are unsure about the merchant, never use a check - use a credit card instead," says George Thomas, president of the Electronic Payments Network, a division of the Clearinghouse, the largest private check processing system, owned by many of the nation's largest banks. "That way, you can avoid the possibility of checking-account fraud down the road."
Screw that. Use cash.

But even using cash isn't good enough to protect you from the clutches of those who think of you as just a mass of data to be manipulated for profit. Consider RFID tags. I've mentioned these suckers before but the Electronic Privacy Information Center sums it up well.
Radio Frequency Identification (RFID) is a type of automatic identification system. The purpose of an RFID system is to enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. The data transmitted by the tag may provide identification or location information, or specifics about the product tagged, such as price, color, date of purchase, etc. ... As the technology is refined, more pervasive — and invasive — uses for RFID tags are in the works.
Right now, the tags are primarily used on pallets as inventory controls, which does not present a privacy issue. They're not widely used in consumer products because the price of the tags, about 30 cents each, when combined with the cost of the readers, which can go for $1000 each, simply isn't worth it. But as advancing technology and economies of scale combine to bring the price down, the use of them can be expected to multiply.
Already, developments in RFID technology are yielding systems with larger memory capacities, wider reading ranges, and faster processing. In response, the market for RFID tags is growing explosively, projected to reach $10 billion annually within the decade.
The potential for privacy invasions and the development of extensive databases of individual behavior is enormous. The tags can easily be hidden inside bottle caps, underneath clothing labels, between layers of packaging, inside handles, and a host of other places where consumers will not even know they exist. Those "customer loyalty cards" all stores (or so it seems) are using for the "Special Discounts!" that used to be available to everyone are an obvious place for them.

Some have raised the vision of the chips becoming so ubiquitous that the databases collecting the information could keep track not only of what you buy but where it is in your house, when you move it somewhere else, when you use it, and for how long. Because the transponders can only broadcast over a range of about 15 feet (although one claims a range of 66 feet), that's not a realistic scenario without a dramatic increase in their power. Some have suggested that the readers could become as common as the chips, including being placed in newly-constructed apartments and homes, enabling just such data collection. That, however, doesn't seem very cost-effective without, again, dramatic improvements in the technology and drastic reduction in cost. A likelier possibility is more powerful transponders, able to transmit, say, 100 yards (about 90 meters), coupled with mobile readers - which could allow a van with a reader to pass through a neighborhood, gathering information about most of the people there.

Here's another scenario which is even more realistic; in fact, it's within reach of the current technology. You enter a store. A reader in the doorway gathers the information from the chips in your clothing - and instantly a clerk in the store with access to the readout knows everything you have on, where you bought it, when you bought it, and how much you paid for it. They know about the chip-holding Chapstick and the package of gum in your pocket or purse. If you have one of their customer cards, they have access to your entire purchasing history there.

And how is all this data going to be used? Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) provided an answer during a presentation to a June 21, 2004 FTC workshop on RFID technology. The group cited an article on CRM - "customer relationship management" - written by Marty Abrams, Executive Director of the Center for Information Policy Leadership, a project of the hotshot lawfirm Hunton & Williams. And if you think CRM means that you are something to be "managed" for the benefit of the corporation, you're exactly right.
At the most macro level, [Abrams wrote,] CRM is the process of using information technology and statistics to maximize a company's relationship with every current and potential customer. Maximization in some cases means providing while-glove service and pricing that expands the firm's share of that customer's wallet.

In other cases, it means marginal service and high prices designed to drive the unattractive consumer somewhere else. A critic of targeting - which I am not - might refer to this as digital redlining.
The privacy implications are so great that, just as in the check business, the industry is aware of the risk. In this case, however, the result is not to warn but to spin. EPIC notes that CASPIAN
located internal public relations documents which detail how RFID developers plan to offset public opposition to the technology. The documents, prepared by Fleishman-Hillard, a communications consultancy, suggest that RFID industry leaders are planning a public relations campaign designed to counter opposition to the pervasive use of RFID technology.
In its FTC presentation, CASPIAN said the plan was to "pacify consumers, convey [the] inevitability of RFID, [and] rely on consumer apathy." (The organization where the documents were found, the Auto-ID Center, closed up shop last October, declaring it had "completed its work," and transferred its technology to EPCglobal. That website says it has the archives of the Auto-ID Center, but I didn't find this particular document there, not that I was surprised by that. However, you can still find the documents at a mirrored site; the links can be found here. The Auto-ID Center lives on as Auto-ID Labs, a group of six universities around the world doing research on auto ID systems.)

Give EPIC the last word on the subject:
As RFID technology becomes more advanced, consumers may ultimately lose all ability to evade products implanted with chips. Corning researchers have developed tiny, barcoded beads that are invisible to the human eye. The microscopic beads can be embedded in inks to tag currency and other documents, and even attached to DNA molecules. ... Researchers say the technology could be ready for commercial use in three to six years.
Some technology already can't be evaded. Another point CASPIAN makes is that a number of stores are already using tracking technology to follow and record your movements on their premises, following where you go, how fast you go, where you stop, and for how long. One outfit, Sorensen Associates, already has contracts with over 80 stores plus colleges and day care centers across the country.

There are efforts to resist this trend. EPIC and CASPIAN are good places to start. And it may be possible to stop it altogether. Business Week for March 5 said
[w]hatever the motivation, it's clear that industry is finally getting the message: RFID is fine for pallets of goods in a warehouse, but not for people. In an age of ubiquitous surveillance cameras, government tracking systems, and biometrics, consumers dislike the idea that they can be tracked via packages of cream cheese, razor blades, and shampoo.

State legislators share this dislike, too. On Feb. 24, the Utah House of Representatives passed a bill mandating clear labeling of any product in which an RFID chip is embedded. A bill introduced on Feb. 27 in the California Senate goes further, arguing that retailers should need consumers' permission. ...

The proposal is sponsored by Sen. Deborah Bowen (D-Redondo Beach), a long-time privacy activist.... The new bill requires any business or state agency that uses an RFID system to track products and people to follow three rules. First, tell people that RFID is tracking and collecting information about them. Second, get express consent from customers before doing that. Third, detach or destroy tags before the customer leaves the store.
Katherine Albrecht, director of CASPIAN, says that business is coming to the point of accepting that RFID chips must be "killed" (deactivated) at the point of purchase. (There are those - count me among them - who argue that killing the chip isn't enough because as consumers we have no way of knowing if it actually was deactivated or not and we should not be - and must not accept being - in the position of having to blindly trust the merchants. Detach and dispose! Nothing short of that is acceptable.) The next big battle will be what happens inside the store: Who owns that information?
Legally, it belongs to the store. The U.S. Supreme Court has ruled time and again that individuals have no reasonable expectation of privacy in public venues. That's why RFID detractors such as Albrecht say they're prepared to use their buying power to stop practices, such as covert tracking of shoppers, which they consider anticonsumer.
The issue of that reasonable expectation of privacy needs to be joined directly. It was developed at a time when that lack of privacy involved being in a situation where you could be observed by human faculties, perhaps enhanced by basic technology such as binoculars or even a camera. But RFID technology promises to not only observe but make a permanent record of your behavior, including, potentially, things which are invisible to a human observer. Can we as a people safely accept the notion that our reasonable expectation of privacy reaches only to those areas which cannot at that moment be reached by our most advanced technology? If not, a line must be drawn. And I say draw it at the warehouse.

No comments:

// I Support The Occupy Movement : banner and script by @jeffcouturer / jeffcouturier.com (v1.2) document.write('
I support the OCCUPY movement
');function occupySwap(whichState){if(whichState==1){document.getElementById('occupyimg').src="https://sites.google.com/site/occupybanners/home/isupportoccupy-right-blue.png"}else{document.getElementById('occupyimg').src="https://sites.google.com/site/occupybanners/home/isupportoccupy-right-red.png"}} document.write('');